b'           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n     DISABILITY DETERMINATION\n          SERVICES\xe2\x80\x99 USE OF\n      SOCIAL SECURITY NUMBERS\n  ON THIRD-PARTY CORRESPONDENCE\n\n\n  September 2005    A-04-05-15098\n\n\n\n\n AUDIT REPORT\n\x0c                                    Mission\nWe improve SSA programs and operations and protect them against fraud, waste,\nand abuse by conducting independent and objective audits, evaluations, and\ninvestigations. We provide timely, useful, and reliable information and advice to\nAdministration officials, the Congress, and the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xc2\x81 Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xc2\x81 Promote economy, effectiveness, and efficiency within the agency.\n  \xc2\x81 Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xc2\x81 Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xc2\x81 Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xc2\x81 Independence to determine what reviews to perform.\n  \xc2\x81 Access to all information necessary for the reviews.\n  \xc2\x81 Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nBy conducting independent and objective audits, investigations, and evaluations,\nwe are agents of positive change striving for continuous improvement in the\nSocial Security Administration\'s programs, operations, and management and in\nour own office.\n\x0c                                           SOCIAL SECURITY\nMEMORANDUM\n\nDate:   September 19, 2005                                                                      Refer To:\n\nTo:     The Commissioner\n\nFrom:   Inspector General\n\nSubject: Disability Determination Services\xe2\x80\x99 Use of Social Security Numbers on Third-Party\n        Correspondence (A-04-05-15098)\n\n\n        OBJECTIVE\n\n        The objective of our review was to determine whether Disability Determination Services\n        (DDS) were complying with the Social Security Administration\xe2\x80\x99s (SSA) revised policy\n        limiting the disclosure of Social Security numbers (SSN) to third parties.1\n\n        BACKGROUND\n\n        The Disability Insurance (DI) program, established in 1954 under Title II of the Social\n        Security Act, provides benefits to disabled wage earners and their families in the event\n        the wage earner becomes disabled. In 1972, Congress enacted the Supplemental\n        Security Income (SSI) program under Title XVI of the Social Security Act. The SSI\n        program provides payments to financially needy individuals who are aged, blind or\n        disabled.\n\n        SSA is responsible for implementing policies for developing disability claims under the\n        DI and SSI programs. Disability determinations under both DI and SSI are performed\n        by a DDS in each State or other responsible jurisdiction according to Federal\n        regulations.2 In carrying out its obligation, each DDS is responsible for determining\n        claimants\xe2\x80\x99 disabilities and ensuring adequate evidence is available to support its\n        decisions. Each DDS is authorized to request relevant information from third parties to\n        assist in processing a claimant\xe2\x80\x99s disability application. As part of the disability\n        determination process, SSA and its affiliated DDSs request about 15 million medical\n        and other records from third parties, annually. These third parties include, but are not\n        1\n         For the purposes of this report, third parties include any source of information that is used in making a\n        disability determination, other than the claimant, legal representative of a claimant, or parent/guardian of\n        a dependent claimant.\n        2\n            20 C.F.R. part 404, subpart Q and part 416, subpart J.\n\x0cPage 2 - The Commissioner\n\n\nlimited to, medical providers; employers; educational sources; and family, friends or\nneighbors.\n\nOur December 2002 report, Review of Social Security Administration Controls over the\nAccess, Disclosure and Use of Social Security Numbers by External Entities, identified\ninstances in which DDS personnel unnecessarily displayed SSNs on documents and\nquestionnaires sent to third parties. In response to this audit, SSA issued Policy\nInstruction Disability Determination Services Administrators\xe2\x80\x99 Letter (DDSAL) 638,\neffective June 20, 2003, to DDSs advising that SSNs should not be displayed on\ndocuments sent to external entities that do not need to know the individual\xe2\x80\x99s SSN. SSA\nthen issued Policy Instruction AM-03163, effective September 16, 2003, to DDSs\nadvising that claimants\xe2\x80\x99 SSNs should be omitted or redacted when personnel send\ncertain forms to third parties. Neither of these policies, however, specified what third\nparties had a genuine \xe2\x80\x9cneed\xe2\x80\x9d for the claimant\xe2\x80\x99s SSN when the DDSs were requesting\ninformation for the disability determination process.\n\nIn December 2004, the President signed into law the Intelligence Reform and Terrorism\nPrevention Act of 2004 (Act). The Act requires that the Commissioner of Social\nSecurity, in consultation with the Secretary of Homeland Security, form an interagency\ntask force to further improve the security of social security cards and numbers.3 In\nresponse to this legislation, SSA workgroups are exploring better methods of securing\nSSNs, including determining whether SSNs should be printed on the millions of notices\nit mails to the public, annually.\n\nSSA is implementing the electronic disability (eDib) program at all DDSs. When eDib is\nfully implemented, records related to DI claims will be maintained in a paperless,\nelectronic folder. During the transition to eDib, DDSs will process claims and perform\ncontinuing disability reviews in both a paper and electronic environment. In either\nenvironment, DDSs can still include or exclude the SSN on correspondence sent to third\nparties.\n\nSee Appendix B for the scope and methodology of our review.\n\nRESULTS OF REVIEW\nSSA\xe2\x80\x99s recent guidance to DDSs did not specify what third parties \xe2\x80\x9chave a need to know\xe2\x80\x9d\nthe claimant\xe2\x80\x99s SSN. Therefore, each DDS could interpret the guidance as it deemed\nappropriate. As a result, DDSs inconsistently applied SSA\xe2\x80\x99s policy and included the\nSSN on correspondence to various third parties, many of whom we believe did not need\nthe SSN to locate and provide disability information to the DDSs. Given the prevalence\nof identity theft and the inherent and recent legislatively mandated responsibility SSA\nhas for ensuring SSN integrity, we believe SSA and its partners must be zealous in\nsecuring the privacy and limiting any unnecessary exposure of these numbers.\n\n\n3\n    Pub. L. No. 108-458, \xc2\xa77213(b).\n\x0cPage 3 - The Commissioner\n\n\nSpecifically, we believe SSA should set a standard for the rest of Government and\nprivate industry.\n\nQuestionnaire responses and accompanying documentation provided by all 52 DDSs\nidentified that 51 (98 percent) of the 52 DDSs provide SSNs to at least 1 of the following\nthird parties: medical providers, employers, educational sources, and friends and/or\nrelatives of the claimant. In addition, many of the DDSs disclosed SSNs to interpreters\nwho assisted claimants who did not speak English or were hearing-impaired. The\nfollowing table details, by third party, the number of DDSs that disclosed the SSN when\nrequesting or obtaining disability-related information.\n\n                     Table 1: DDS\xe2\x80\x99 Disclosure of SSNs to Third Parties\n\n                                 Number of        Number of         Percentage of DDSs\n                               DDSs that Used        DDSs         that Disclosed the SSN\n                                     the        that Disclosed    (When Third Party was\n           Third Party           Third Party       the SSN                 Used)\n    Medical Providers                 52              51                     98\n    Educational Community             51              44                     86\n    Employers                         38              32                     84\n    Language Interpreters             45              21                     47\n    Friends/Family/Neighbors          51              14                     27\n\nDuring our review, we identified one DDS that discontinued the practice of releasing\nSSN information to any third-party source. The Vermont DDS stopped using SSNs on\nthird-party correspondence in August 2003. In lieu of SSNs, the DDS used case\nnumbers on correspondence to third parties, including medical sources and employers.\nThe DDS\xe2\x80\x99 effort to eliminate SSNs from third-party correspondence was not costly and\nmet little resistance from third parties. We believe the practice employed by the\nVermont DDS demonstrates that disability information can be obtained from third parties\nwithout disclosing a claimant\xe2\x80\x99s SSN.\n\nIn March 2005, after we issued our questionnaire, SSA issued a new policy regarding\nhow DDSs should obtain and develop evidence from the education community.4 To our\nconcern, the policy specifically instructs DDSs to include the claimant\xe2\x80\x99s SSN on certain\nforms sent to educational sources. This new policy appears contrary to SSA\xe2\x80\x99s earlier\npolicy instruction that advised the DDSs to omit or redact the SSN on forms sent to third\nparties without a need for the number. Further, we believe the new policy is contrary to\nSSA\'s efforts to improve SSN security and to comply with provisions of the Act.\n\n\n\n\n4\n Program Operations Manual System (POMS) DI 22505.028, Developing Evidence from the Education\nCommunity.\n\x0cPage 4 - The Commissioner\n\n\nFinally, SSA\xe2\x80\x99s eDib program does not always eliminate DDS\xe2\x80\x99 disclosure of SSNs on\nthird-party correspondence. The eDib program automatically generates standardized\nrequests for third-party information. Unless suppressed, the program software causes\nthe SSN to be printed on this correspondence. Based on conversations with\nresponsible SSA personnel, we determined the Agency has encouraged DDSs to\nsuppress the SSN on some third-party correspondence. However, on other forms, SSA\nrequires the DDSs to include the SSN.\n\nWe recognize the SSN is a key component in SSA\xe2\x80\x99s disability determination process\nand, until recently, using and disclosing a claimant\xe2\x80\x99s SSN, when necessary, to facilitate\nthis process was not problematic. However, with the ever-increasing occurrences of\nidentity theft, we believe the status quo is no longer appropriate. Accordingly, we\nencourage SSA and its partners to consider reducing the frequency with which they\ndisclose SSNs to third parties to gather disability-related information.\n\nMEDICAL PROVIDERS\n\nWe found that 51 (98 percent) of the 52 DDSs provided SSNs on written\ncorrespondence to physicians, hospitals, psychiatrists, and consultative examination\nproviders. Many of the DDSs explained the SSN was needed on written\ncorrespondence to ensure they received information for the correct disability applicant.\nThe DDSs explained that this practice was in compliance with SSA\xe2\x80\x99s Policy Instruction\nDDSAL 638, because the medical providers needed to know the SSNs to ensure\naccurate record retrieval. Further, other SSA policy instructs DDSs to include the\nclaimant\xe2\x80\x99s SSN on information requests sent to medical providers5 and to ensure the\nclaimant\xe2\x80\x99s SSN is on medical reports received from the providers.6\n\nWe agree it is imperative that DDSs obtain medical information for the correct person.\nWe also acknowledge that many medical sources use the SSN as a unique patient\nidentifier and therefore already have a claimant\xe2\x80\x99s SSN. However, not all medical\ninformation used to determine a claimant\xe2\x80\x99s disability is obtained from the claimant\xe2\x80\x99s\ntreating physician or from prior medical records. In fact, DDSs routinely contract with\nmedical providers to obtain consultative examinations regarding a claimant\xe2\x80\x99s current\ndisability. In many cases, these medical providers have not previously treated the\nclaimant and therefore do not know the claimant\xe2\x80\x99s SSN. In these situations, the medical\nproviders do not need to know the SSN to correctly identify the claimant or to retrieve\nmedical records. Accordingly, we believe SSA should consider whether DDSs need to\ninclude the SSN on letters or forms sent to health care providers who are seeing the\nclaimant for the first time.\n\n\n\n\n5\n    POMS DI 22505.021, Developing Evidence from Hospitals and Clinics.\n6\n    POMS DI 39542.240, Consultative Examination Reports \xe2\x80\x93 DDS.\n\x0cPage 5 - The Commissioner\n\n\nAlso, our analysis of the initial DDS questionnaire responses determined that one DDS\nhad ceased including SSNs on correspondence to medical providers and had begun\nusing an internal case number. DDS representatives told us eliminating the SSN from\nthird-party correspondence required nominal cost and met little resistance from medical\nproviders. We believe this practice demonstrates that other DDSs may be able to\ndiscontinue routinely including SSNs on correspondence to medical third-party sources\nthereby limiting the exposure of claimants\xe2\x80\x99 SSNs to potential misuse.\n\nEDUCATIONAL SOURCES\n\nOnly one of the DDSs responded that it did not collect information from educational\nsources when processing disability claims. Of the remaining 51 DDSs, 44 (86 percent)\nprovided SSNs on written correspondence to educational sources, such as schools and\nteachers.\n\nWe do not believe educational sources need a claimant\xe2\x80\x99s SSN. The claimant\xe2\x80\x99s name\nand, if necessary, date of birth should be adequate for the educational source to\naccurately identify the claimant in question. In fact, before our audit, seven DDSs\xe2\x80\x94\nincluding two of SSA\xe2\x80\x99s larger DDSs\xe2\x80\x94eliminated the SSN from correspondence sent to\neducational sources. Also, in response to our audit and questionnaire, one DDS\ndeveloped and issued policy advising its staff not to include SSNs on teacher forms or\nletters to schools because most schools identify students using the date of birth.\nFurther, an official at this DDS stated the process of eliminating the SSN on\ncorrespondence to educational sources required minimal effort and little cost. The DDS\nofficial also stated that the change did not hinder the DDS\xe2\x80\x99 ability to obtain required\ninformation from educational sources. We applaud the proactive measures taken by the\nDDS.\n\nNew SSA Policy Requires the SSN on Forms Sent to Educational Sources\n\nIn March 2005, SSA issued a new policy, POMS DI 22505.028, instructing DDSs on\nobtaining and developing evidence from the education community. The policy explains\nwhat forms should be used, what information should be obtained, and from whom it\nshould be obtained. Contrary to SSA\xe2\x80\x99s earlier instructions to the DDSs and its ongoing\nefforts to protect the SSN, this new policy specifically instructs DDSs to include the\nclaimant\xe2\x80\x99s SSN on forms sent to educational sources. The forms identified in the policy\nare listed below.\n\n\xe2\x80\xa2   Form SSA-827, Authorization to Release Information to the Social Security\n    Administration. Federal laws and regulations require that schools have specific\n    authorization from a child\xe2\x80\x99s parent, caregiver, or guardian before disclosing\n    information about the individual to a third party. All of SSA\xe2\x80\x99s requests for information\n    from the education community must be sent under the cover of a Form SSA-827.\n\x0cPage 6 - The Commissioner\n\n\n\xe2\x80\xa2   Form SSA-5665, Teacher Questionnaire, requests information directly from teachers\n    or instructors based on their personal observations of an individual\xe2\x80\x99s day-to-day\n    functioning in both academic activities and social interactions.\n\n\xe2\x80\xa2   Form SSA-5666, Request for Administrative Information, requests information from\n    administrative personnel that can be obtained from an individual\xe2\x80\x99s existing education\n    records. For example, information from psychological and academic testing,\n    speech-language therapy progress notes, and comprehensive evaluations.\n\nWe discussed the new policy with SSA to determine its rationale for requiring that DDSs\ninclude the claimant\xe2\x80\x99s SSN on informational requests sent to the educational sources.\nThe SSA official responsible for developing the policy explained that most schools and\nother educational institutions need to know a claimant\xe2\x80\x99s SSN to ensure that students\xe2\x80\x99\nrecords are accurately identified and retrieved efficiently and timely. We understand the\ninformation DDSs obtain from educational sources is critical to the claims process and\nmust be properly matched to SSA\xe2\x80\x99s claimants. However, we do not believe educational\nsources routinely need an SSN to accurately identify information related to a\nstudent/claimant. This is evident in the fact that, before this policy was issued,\nseven DDSs eliminated the SSN from correspondence sent to educational sources.\nFurther, in response to our questionnaire, none of the seven DDSs reported this change\nwas met with resistance from the educational community. Accordingly, we encourage\nSSA to reconsider the appropriateness of this recently issued policy.\n\nFRIENDS AND/OR RELATIVES OF THE CLAIMANT\n\nFifty-one of the DDSs collected information from a claimant\xe2\x80\x99s friends and/or relatives\nwhen making disability determinations. Of the 51 DDSs, 14 (27 percent) included the\nclaimant\xe2\x80\x99s SSN on correspondence to these third-party sources.\n\nWe do not believe friends and/or relatives of a disability claimant have a need to know\nthe claimant\xe2\x80\x99s SSN. These third parties, by definition, already have some type of\nrelationship with the claimant. No information other than the name should be necessary\nto identify the claimant to friends or family. Accordingly, we believe SSA should take\nmeasures to ensure DDSs do not disclose claimants\xe2\x80\x99 SSNs to friends and/or relatives.\n\nEMPLOYERS\n\nFourteen of the DDSs responded that they did not send correspondence to a claimant\xe2\x80\x99s\ncurrent or former employers to assist in making a disability determination. However, of\nthe 38 DDSs that did obtain information from employers, 32 (84 percent) included\nclaimants\xe2\x80\x99 SSNs on correspondence to those employers.\n\x0cPage 7 - The Commissioner\n\n\nAs with medical sources, we acknowledge employers already have their employees\xe2\x80\x99\nSSNs. Employers use employees\xe2\x80\x99 SSNs for various purposes, including payroll,\nproviding health and other insurance benefits, and reporting wages to SSA. However,\nsix of the DDSs did not provide claimants\xe2\x80\x99 SSNs to sources of work information. We\nbelieve this practice reduces the risk of fraudulent SSN attainment and misuse.\n\nINTERPRETERS\n\nDDSs occasionally use interpreters to assist claimants who do not speak English or are\nhearing-impaired. In fact, 45 of the 52 DDSs responded that they used interpreter\nservices. Of these, 21 (47 percent) provided the claimant\xe2\x80\x99s SSN to interpreters. In\nmany cases, these interpreters also had access to other personal information, such as\ndates of birth and addresses.\n\nWe believe the disclosure of SSNs to interpreters entails significant risk because most\nDDSs do not perform background checks on interpreters or require that the interpreters\nsign an agreement prohibiting the disclosure of claimants\xe2\x80\x99 SSNs or other personal\ninformation to unauthorized parties. In response to our audit and questionnaire, one\nDDS developed and issued policy advising its staff not to provide SSNs to interpreters.\nAlso, with minimal effort, the DDS developed an agreement that must be signed by all\ninterpreters who work for the DDS. This document requires that interpreters agree not\nto disclose any information regarding disability claimants learned through acting as an\ninterpreter for the DDS. We applaud the proactive measures taken by this DDS.\n\nELIMINATING THE SSN FROM THIRD-PARTY CORRESPONDENCE\n\nThe Vermont DDS did not include claimants\xe2\x80\x99 SSNs on correspondence to any third\nparties. An official from the DDS stated it stopped using SSNs on third-party\ncorrespondence in August 2003 after SSA issued policy advising all DDSs to safeguard\nSSNs. In lieu of SSNs, the DDS used case numbers on correspondence, including\nrequests for information from medical sources and employers. In addition, the Vermont\nDDS did not disclose SSNs to interpreters yet still required that they sign a statement\nagreeing to keep all claimant information confidential.\n\nThe DDS Director stated that the DDS\xe2\x80\x99 efforts to eliminate the SSN from third-party\ncorrespondence required minimal work. Although the DDS did not specifically track the\nconversion costs, the Director believed the costs were insignificant. Also, the Director\nstated the DDS encountered little resistance to the change.\n\nThe practice employed by the Vermont DDS demonstrates that information can be\nobtained from third parties without disclosing a claimant\xe2\x80\x99s SSN. Although we anticipate\nmany DDSs would encounter some challenges in eliminating the SSN from third-party\ncorrespondence, we believe SSA should be in the national forefront of establishing\npolicy and practice by limiting SSN use and disclosure.\n\x0cPage 8 - The Commissioner\n\n\nIMPACT OF ELECTRONIC DISABILITY ON SSN USAGE\n\nDDSs nationwide are implementing SSA\xe2\x80\x99s eDib program. When fully implemented,\neDib will enable DDSs to maintain DI related documents in a paperless, electronic\nfolder. Until eDib is fully implemented, DDSs will process claims and perform continuing\ndisability reviews in both a paper and electronic environment.\n\nThe Vermont DDS, which eliminated the SSN from third-party correspondence in the\npaper environment, is transitioning its case workload to the eDib environment. As such,\nsome DI cases are being processed using an electronic case folder. The Vermont DDS\nDirector informed us that third-party correspondence automatically generated through\neDib included claimants\xe2\x80\x99 SSNs. SSA\xe2\x80\x99s eDib program generates third-party informational\nrequests, in paper form, that are mailed to various informational sources. The requests\nalso act as a return cover letter. The request letters are electronically imprinted with a\nbar code, so when third parties return the letters and the requested information to the\nDDS, the bar code can be used to electronically track and file information at the case\nlevel. However, unless it is purposely suppressed, the claimant\xe2\x80\x99s SSN is printed under\nthe bar code.\n\nWe discussed this matter with responsible SSA officials. The officials informed us that\nthe Agency was aware of the issue and have encouraged DDSs to suppress the\nnumber on some notices. However, Agency officials also stated that the SSN will\ncontinue to be included on certain forms sent to third parties. For example, when\nobtaining medical evidence, SSA requires that DDSs include Form SSA-827,\nAuthorization to Disclose Information to the Social Security Administration, with each\nrequest sent to medical healthcare providers. Although we understand the necessity of\nform SSA-827, we do not believe the claimant\xe2\x80\x99s SSN needs to be disclosed on the form.\nAccordingly, we believe SSA should assess the viability of eliminating the SSN from\nform SSA-827 or explore alternatives to displaying the entire SSN on the form.\n\nCONCLUSION AND RECOMMENDATIONS\n\nIn our opinion, each time an individual\xe2\x80\x99s SSN is divulged, the potential for fraudulent\nactivity increases. In fact, according to a 2002 Government Accountability Office report,\nSSNs, along with names and birth certificates, are among the three personal identifiers\nmost often sought by identity thieves.7 Despite the potential risks associated with\nproviding SSNs to third parties, most DDSs continue this practice. While most DDSs\nbelieve some SSN disclosure to third parties is warranted, one DDS proved that\ninformation can be collected from third parties\xe2\x80\x94including medical sources\xe2\x80\x94without\ndivulging a claimant\xe2\x80\x99s SSN.\n\n\n\n\n7\n Social Security Numbers \xe2\x80\x93 Government Benefits from SSN Use but Could Provide Better Safeguards,\nGAO-02-352 (May 2002).\n\x0cPage 9 - The Commissioner\n\n\nRecently issued policy requiring that DDSs include the SSN on information requests to\nthe educational community appears contrary to earlier SSA policy instructing DDSs to\neliminate the SSN from correspondence to third parties that do not need the SSN. We\ndo not believe educational sources need a claimant\xe2\x80\x99s SSN to provide disability-related\ninformation about that individual.\n\nAs SSA and the DDSs migrate their DI case workload to eDib, SSN disclosure to third\nparties is still a concern. Currently, third-party correspondence generated through eDib\nincludes the claimant\xe2\x80\x99s SSN unless the DDSs specifically suppress the SSN. Further,\nas part of the eDib procedures, DDSs are instructed to include form SSA-827 (which\nincludes the claimant\xe2\x80\x99s SSN) with each request sent to medical providers.\n\nWe recommend that SSA:\n1. Clarify existing policy to define what third parties may be provided a claimant\xe2\x80\x99s SSN\n   as a part of the DDS\xe2\x80\x99s disability determination process. To ensure SSN integrity, we\n   believe the SSN should only be disclosed when it is critical to a third party\xe2\x80\x99s ability to\n   adequately respond to the DDS\xe2\x80\x99s information request.\n2. Evaluate the viability of eliminating a claimant\xe2\x80\x99s SSN from the Form SSA-827 or\n   explore alternatives to displaying the entire SSN on the form.\n3. Implement policy requiring DDSs to develop and use confidentiality agreements\n   prohibiting language interpreters from disclosing SSNs and other personal\n   information to unauthorized parties.\n\nAGENCY COMMENTS AND OIG RESPONSE\n\nSSA agreed with Recommendations 1 and 2 of our report. However, the Agency\ndisagreed with Recommendation 3. In response to this recommendation, SSA stated its\npolicy requires qualified language interpreters to comply with SSA\xe2\x80\x99s requirements to\nprotect confidential information. The Agency further explained that, because DDSs do\nnot always contract directly with language interpreters for interpretive services, it is not\npractical to implement our recommendation. However, SSA stated it recognizes the\nimportance of protecting confidential information, and as a result of our\nrecommendation, will issue policy that reminds DDSs to inform language interpreters\nthat they are prohibited from disclosing SSNs and other personal information to\nunauthorized parties. Although, we believe such notification would be best\ncommunicated to language interpreters via written confidentiality agreements, SSA\xe2\x80\x99s\nproposed action addresses the intent of our recommendation. Therefore, we consider\nSSA\xe2\x80\x99s response to the recommendation adequate. The full text of SSA\xe2\x80\x99s comments is\nincluded in Appendix C.\n\n\n\n                                                  S\n                                                  Patrick P. O\xe2\x80\x99Carroll, Jr.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\n\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX C \xe2\x80\x93 Agency Comments\n\nAPPENDIX D \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                                  Appendix A\n\nAcronyms\nAct           Intelligence Reform and Terrorism Prevention Act of 2004\nC.F.R.        Code of Federal Regulations\nDDS           Disability Determination Services\nDDSAL         Disability Determination Services Administrators\xe2\x80\x99 Letter\nDI            Disability Insurance\neDib          Electronic Disability\nOIG           Office of the Inspector General\nPOMS          Program Operations Manual System\nPub. L. No.   Public Law Number\nSSA           Social Security Administration\nSSI           Supplemental Security Income\nSSN           Social Security Number\n\x0c                                                                     Appendix B\n\nScope and Methodology\nOur review was limited to gaining an understanding of the extent to which Disability\nDetermination Services (DDS) disclosed Social Security numbers (SSN) to third parties.\nWe did not attempt to define the risks associated with SSN disclosure, other than the\nknown risks of identity theft. Additionally, we did not attempt to identify any specific\ninstances of fraudulent activity when DDSs disclosed SSNs to third parties.\n\nTo accomplish our objective, we distributed a questionnaire to the Directors of the\nCenters for Disability in all 10 Social Security Administration (SSA) regions. The\nDirectors then distributed the questionnaire to each DDS in their respective areas of\njurisdiction. Each DDS was asked to provide detailed answers, as well as examples of\nforms and letters used to obtain information from third parties. We reviewed each of the\nresponses from the 52 DDSs. Where necessary, we followed up to determine the\nextent to which SSNs were included on third-party correspondence DDSs used to obtain\ninformation related to disability determinations. We also held discussions with\nrepresentatives from the Office of Disability and Income Security Programs regarding\nthe impact SSA\xe2\x80\x99s electronic disability process has on DDSs\xe2\x80\x99 efforts to limit SSN\ndisclosure to third parties. The SSA entity reviewed was the Office of Disability and\nIncome Security Programs. We conducted our audit from November 2004 through April\n2005 in accordance with generally accepted government auditing standards.\n\x0c                  Appendix C\n\nAgency Comments\n\x0c                                       SOCIAL SECURITY\n\nMEMORANDUM\n\n                                                                                34295-24-1338\nDate:      September 6, 2005                                                    Refer To: S1J-3\n\nTo:        Patrick P. O\'Carroll, Jr.\n           Inspector General\n\nFrom:      Larry W. Dye /s/\n           Chief of Staff\n\nSubject:   Office of the Inspector General (OIG) Draft Report, \xe2\x80\x9cDisability Determination Services\xe2\x80\x99 Use of\n           Social Security Numbers on Third-Party Correspondence\xe2\x80\x9d (A-04-05-15098)\xe2\x80\x94INFORMATION\n\n\n           We appreciate OIG\xe2\x80\x99s efforts in conducting this review. Our comments on the draft\n           report\xe2\x80\x99s recommendations are attached.\n\n           Please let me know if you have any questions. Staff inquiries may be directed to\n           Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.\n\n           Attachment:\n           SSA Response\n\n\n\n\n                                                     C-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT\nREPORT, "DISABILITY DETERMINATION SERVICES\' USE OF SOCIAL\nSECURITY NUMBERS ON THIRD-PARTY CORRESPONDENCE" (A-04-05-\n15098)\n\n\nThank you for the opportunity to review and comment on the draft report. Over the\nyears, SSA has worked diligently to refine our own internal processes and has actively\nparticipated in interagency workgroups to ensure that the Social Security number (SSN)\nis only disclosed when there is an absolute business need. We appreciate OIG\xe2\x80\x99s efforts in\nidentifying areas where potential weaknesses exist and we found this report helpful in\nproviding recommendations that will assist us in taking the steps necessary to protect the\nintegrity of the SSN for the adjudication of our disability claims.\n\nWe agree that the Vermont Disability Determination Services (DDS) practice appears to\nbe an effective means of protecting the SSN for disability claimants. If necessary in the\ncoming months, we will obtain additional information on their experiences with the\nelimination of the SSN on correspondence and other claims-related material.\n\nRegarding the finding that the eDib program does not always eliminate the DDS\'\ndisclosure of SSNs on third-party correspondence, it is true that DDSs are encouraged to\nsuppress the SSN on some third-party correspondence and that we require the DDSs to\ninclude the SSN on some forms. As we continue to develop the system, we will explore\noptions for a systems change that would display only the last four digits on third-party\ncorrespondence. In rare cases, when the entire SSN must be on the third-party\ncorrespondence, DDS personnel would have an optional mechanism for manually typing\nin the entire SSN. However, it will take some time to get software changes in place.\n\nOur responses to the specific recommendations are provided below.\n\nRecommendation 1\n\nThe Social Security Administration (SSA) should clarify existing policy to define what\nthird parties may be provided a claimant\xe2\x80\x99s SSN as a part of the DDS\xe2\x80\x99s disability\ndetermination process. To ensure SSN integrity, we believe the SSN should only be\ndisclosed when it is critical to a third party\xe2\x80\x99s ability to adequately respond to the DDS\xe2\x80\x99s\ninformation request.\n\nResponse\n\nWe agree. A claimant\xe2\x80\x99s SSN should only be disclosed when it is critical to a third party\xe2\x80\x99s\nability to adequately respond to a DDS\xe2\x80\x99s information request. We will review and, to the\nextent necessary, clarify our existing policy to more clearly define which third parties\nshould be provided a claimant\xe2\x80\x99s full or partial SSN as part of the DDS evidence\ncollection process.\n\n\n\n                                            C-2\n\x0cRecommendation 2\n\nSSA should evaluate the viability of eliminating a claimant\xe2\x80\x99s SSN from the form\nSSA-827 or explore alternatives to displaying the entire SSN on the form.\n\nResponse\n\nWe agree. We will evaluate the viability of either eliminating a claimant\xe2\x80\x99s full SSN from the\nSSA-827 (Authorization to Disclose Information to SSA) or, alternatively, displaying\nonly the last four digits of the SSN. We note that because some medical records are\nstored by SSN, the DDSs will need to ensure they provide third parties with enough\nidentifying information to distinguish between individuals with common names.\n\nRecommendation 3\n\nImplement policy requiring DDSs to develop and use confidentiality agreements\nprohibiting language interpreters from disclosing SSNs and other personal information to\nunauthorized parties.\n\nResponse\n\nWe disagree. Our Program and Operations Manual System (POMS) Disability\nInstruction (DI) 23040 contains comprehensive DDS instructions regarding the use of\nlanguage interpreters. Additionally, SSA requires all \xe2\x80\x9cqualified interpreters\xe2\x80\x9d to agree to\ncomply with disclosure and confidentiality of information requirements. There are\nvarious sources for obtaining interpreters, including the SSA nationwide Telephone\nInterpreter Services (TIS), State-contracted services and DDS and field office employees.\nSince there is no one source for interpreters, it is not feasible to implement the\nrecommendation, particularly when the DDS uses the SSA TIS service or a State-\nadministered service to which it does not have direct connection. We will, however,\ninclude instructions in POMS reminding the DDS to inform interpreters that they are\nprohibited from disclosing the SSN and other personal information to unauthorized\nparties.\n\n\n\n\n                                           C-3\n\x0c                                                                        Appendix D\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Kimberly A. Byrd, Director, (205) 801-1605\n\n   Frank Nagy, Audit Manager, (404) 562-5552\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Mike Leibrecht, Senior Auditor\n\n   Valerie Ledbetter, Auditor\n\n   Kim Beauchamp, Writer/Editor\n\nFor additional copies of this report, please visit our web site at http://www.ssa.gov/oig or\ncontact the Office of the Inspector General\xe2\x80\x99s Public Affairs Specialist at (410) 965-3218.\nRefer to Common Identification Number A-04-05-15098.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform and\nOversight\nChairman and Ranking Minority Member, Committee on Governmental Affairs\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Executive Operations (OEO). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                        Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure\nprogram objectives are achieved effectively and efficiently. Financial audits assess whether\nSSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash\nflow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs\nand operations. OA also conducts short-term management and program evaluations and projects\non issues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                  Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                               Office of Executive Operations\nOEO supports OIG by providing information resource management and systems security. OEO\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, OEO is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c'